DNSSec Zone TrustAnchors

I started to see this error as I moved servers in my test environment to Windows 2008 R2.

Alert

Name: DNS 2008 Monitor Zone Resolution Alert

Description: Zone TrustAnchors on DNS Server VDC01.Cosiris.local is not responding to queries.

Source: TrustAnchors (VDC01.Cosiris.local)

The MP is DNS 2008 MP v6.0.6480.0 and OpsMgr 2007R2.

I had not seen this before and as I was having some general problems with the test environment I thought that it might be linked. In fact it seems to be a new feature of Windows 2008 R2. A bit of searching brought in some more information on DNSSec (DNS Security).

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-trust-anchor-03

http://www.dnssec-tools.org/wiki/index.php/Trust_Anchor

http://blogs.technet.com/sseshad/archive/2008/10/30/dnssec-in-windows-7.aspx

DNSSEC in Windows Server 2008 R2

From http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx

A trust anchor is a preconfigured public key associated with a specific zone. Windows Server 2008 R2 supports the configuration of trust anchors by using DNSKEY resource records.

A validating DNS server must be configured with one or more trust anchors in order to perform validation. At least one trust anchor is required if any DNSSEC data is to be validated by the DNS server. Additional trust anchors can be deployed to support islands of trust. DNS server management tools (DNS Manager and Dnscmd.exe) can be used to locally or remotely view and modify trust anchors. Trust anchors apply only to the zone for which they are configured.

If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and will be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns in %windir%\System32\DNS.

The reason it shows up as an alert is that it appears to be a DNS zone in Windows 2008 R2. As I am not intending to run DNSSec I just put an override on this alert.
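Before overriding, it is worth confirming that the TrustAnchors zone really is empty, since an alert on a zone that does hold trust anchors would mean DNSSEC validation itself is failing. The script below is an added example, not part of the original post or the DNS MP; it assumes dnscmd.exe (named in the TechNet text above) is in the path, that the account has DNS administrator rights, and that the output format of dnscmd /ZoneInfo and /EnumTrustAnchors is as described in the comments.

```powershell
# Added example: check whether the TrustAnchors zone on a 2008 R2 DNS server
# holds any trust anchors before overriding the SCOM zone-resolution alert.
function Test-TrustAnchorsZone {
    param(
        [string]$DnsServer = 'VDC01.Cosiris.local'   # server named in the alert
    )
    $zoneName = 'TrustAnchors'

    # 1. Does the zone exist? 2008 R2 creates it automatically; a non-zero
    #    exit code from dnscmd means it is absent or the server is unreachable.
    $zoneInfo = & dnscmd $DnsServer /ZoneInfo $zoneName 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Server = $DnsServer; ZoneExists = $false;
                                  AdIntegrated = $null; AnchorCount = $null;
                                  SafeToOverride = $false }
    }

    # 2. Where are the anchors stored? (Assumption: /ZoneInfo prints a line
    #    like "DS integrated = 1" for AD-stored zones; otherwise the anchors
    #    are in %windir%\System32\DNS\TrustAnchors.dns on that server.)
    $adIntegrated = [bool]($zoneInfo | Where-Object { $_ -match 'DS integrated\s*=\s*1' })

    # 3. Count configured anchors. (Assumption: /EnumTrustAnchors prints one
    #    DNSKEY line per configured trust anchor and nothing matching DNSKEY
    #    when none are configured.)
    $anchorOutput = & dnscmd $DnsServer /EnumTrustAnchors 2>&1
    $anchorCount  = @($anchorOutput | Where-Object { $_ -match 'DNSKEY' }).Count

    # 4. Second indicator for standalone servers: the zone file via the
    #    administrative share, if it is reachable from here.
    $anchorFile = "\\$DnsServer\admin`$\System32\DNS\TrustAnchors.dns"
    $fileBytes  = if (-not $adIntegrated -and (Test-Path $anchorFile)) {
                      (Get-Item $anchorFile).Length } else { $null }

    # No anchors configured means no DNSSEC validation depends on this zone,
    # so silencing the alert loses nothing; otherwise investigate first.
    [pscustomobject]@{
        Server         = $DnsServer
        ZoneExists     = $true
        AdIntegrated   = $adIntegrated
        AnchorCount    = $anchorCount
        AnchorFileSize = $fileBytes
        SafeToOverride = ($anchorCount -eq 0)
    }
}

Test-TrustAnchorsZone | Format-List
```

Run it once per DNS server that raises the alert; a result of SafeToOverride = True is the condition under which the override described above is reasonable.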

For a 12:47 video on DNSSec and a link to a deployment white paper go to this link http://edge.technet.com/Media/DNS-Security-DNSSec-Overview/.

Ian

Dec 2009
